Apple Pay… a new crease for thieves

The following original blog post is from Damien Hugoo at Easy Solutions, provider of anti-fraud services to over 200 financial institutions.

Apple Pay went live yesterday. And while there has been much talk about how it’s going to disrupt the payment system, and how easy it will be to use, security is once again being overlooked in the urgency for speed and convenience above all else.

First, there’s the obvious concern about losing your phone. Americans lose their phones once every 3.5 seconds[1]. Apple Pay overnight raises the value of a lost iPhone, creating greater incentive for theft. We view this concern as similar to the concern over losing your credit card, but with the added risk that the thief now also has access to your email address, and your method of two-factor authentication for many services, making it easier to not only commit simple fraud, but also to more completely impersonate the victim, for more sophisticated fraud. While you can ‘find my phone’ and shut it down, this is not always instantaneous.

Second, and probably the bigger concern, is that the authentication mechanisms for validating cards is unclear. Apple seemed to have focused on security payment mechanisms such as tokenization and fingerprint (which we believe are solid steps). But payment can only be as secure as the authentication, which starts with registering cards to an account, as well granting access to a particular account.

Apple has not yet disclosed how they will authenticate cards before allowing their use. Without the proper authentication mechanisms, Apple may have just made it far easier for criminals to counterfeit credit cards from black market. Now you don’t need a physical card to make a purchase in person. You can simply take a picture of numbers superimposed (or photoshopped) on a card, and run with it.

And third, users add credit cards to their iPhones by taking pictures of them. As Jennifer Lawrence and others can attest to, Apple’s ability to securely store and transmit those photos remains to be answered. Depending on how they are being stored and transmitted, it would not be surprising to see malware developed around this mechanism.